IT Governance, Risk, and Compliance

Technology deployment and the associated management information systems can provide a competitive advantage, but they also bring increased control requirements. Legal noncompliance risk is an irrefutable fact, with consequences ranging from significant financial penalties to damage to an entity’s reputation. IT auditors are indirectly, if not directly, an entity control mechanism assuring that mandated compliance expectations are adequately addressed by management. In one form or another, ensuring legal compliance serves as a significant information security audit objective for most entities. Amplifying the criticality of information security is the number of information assets protection (IAP) related laws and regulations that shape compliance expectations.

Source:

Bakman, Alex. “If Compliance Is So Critical, Why Are We Still Failing Audits? How to Minimize Failure and Make the Audit Process Easier.” Information Systems Control Journal, vol. 5 (2007).

The most common ways in which laws and regulations influence audit practice are in evidence collection and preservation. Where legal compliance audits are decreed and an illegal act is suspected, IT auditors must ensure that evidentiary legal mandates are satisfied in order to provide authorities with untainted items for prosecuting alleged perpetrators. Additionally, when an IT auditor performs audits on an international scale, understanding the various evidentiary requirements can become critical to a professional audit practice. Under most circumstances, reflecting ISACA’s standard on Irregularities and Illegal Acts, the audit evidence available to the IT auditor during an IAP legal compliance audit should be persuasive rather than conclusive in nature for demonstrating due diligence.

Accountability is responsibility for performance against agreed-upon expectations, whether stated or implied. Professionally, an IT auditor should exercise due caution against disclosing information acquired in the course of an engagement to any person other than the entity’s duly appointed representatives without consent, except as required by any statute in force at the time. An IT auditor “should always keep in view the various regulatory and statutory issues applicable” to the entity being audited in order to provide reasonable assurance of compliance with information disclosure mandates. For example, IT auditors should disclose IAP related information as required by law and, where appropriate, with client consent.

Regarding laws and regulations, when professional standards are applied to compliance engagements, an IT auditor has the right to believe that management has established appropriate controls to prevent, deter and detect illegal acts, unless tests and evaluations carried out by the IT auditor prove otherwise. Furthermore, IT auditors should forgo the use of unlicensed tools and software when conducting IAP audit assignments.

Professional prudence dictates that legal mandates impacting IT-IAP audit practice areas be thoroughly understood by audit team members before proceeding with fieldwork. Specifically, IT auditors “should review compliance with applicable statutory laws, regulations as well as contracts and, where applicable, seek legal guidance” when participating in an IAP related audit. Therefore, through preliminary discussions with a practicing attorney, an IT auditor should acquire sufficient knowledge to identify indicators of illegal acts. However, an IT auditor should not be expected to have the expertise of individuals whose primary responsibility is detecting and investigating illegal acts.

Government sponsored laws and regulations can influence auditor conduct and impose IT audit practice requirements. Therefore, applying ISACA’s Professional Ethics and Standards, an IT auditor “should maintain the highest degree of integrity and conduct, and not adopt any methods that could be seen as unlawful, unethical or unprofessional to obtain or execute audit assignments.” Given ISACA’s assurance service standard, which requires general members and certified individuals to avoid transgressing government imposed mandates, practicing IT auditors should keep current with applicable information assets protection (IAP) related laws and regulations.

Generally, audit has a responsibility for ensuring that (1) independence and objectivity are maintained in all phases of assignments, (2) professional judgment is utilized in planning approaches, performing procedures, and reporting results of engagements, (3) work is conducted by personnel who are professionally competent and collectively have the necessary skills and knowledge, and (4) an independent peer review is periodically performed resulting in an opinion issued as to whether the audit quality control system is designed and operated to provide reasonable assurance of conforming with professional standards as well as legal mandates.

An entity in a multiple-compliance scenario may benefit by developing a centralized oversight function that evaluates controls across all compliance arenas, interfaces with auditors for each compliance area and provides direction on the most cost-effective controls that maximize total compliance benefit.

Generally, there are three main dimensions to jurisdiction decisions: procedural, substantive, and enforcement issues. Procedural jurisdiction considers which court or state has the proper authority. Substantive jurisdiction determines which rules should be applied. Enforcement jurisdiction, in turn, addresses how court decisions should be implemented. The principal criteria employed when establishing jurisdiction in particular cases are:

Personal Link – normally considered as the state’s right to govern its citizens wherever they might be located;

Territorial Link – generally presented as the state’s right to govern persons and property within its geographical domain;

Effects Link – usually defined as the state’s right to rule on the economic and legal outcomes regarding a particular territory, stemming from activities conducted elsewhere.

International jurisdiction is based predominantly on the geographical division of the world into national territories. Within these geographical divisions, each established government has the sovereign right to exercise magistracy over its territory. However, upon detection of an illegal act, if a citizen of one country commits an IT-related crime in another country, problems may arise when the perpetrator is residing in their home country at the time the violation is discovered. For instance, when attempting to convict computer-related crime suspects, many countries resist extraditing their own nationals. In such situations, feasible legal strategies include extending existing rules on extraterritorial jurisdiction or changing the venue of proceedings, with a view to creating the prerequisites for successful prosecution in at least one jurisdiction linked to the illegal act. Collaboratively, mutual assistance agreements, extradition laws, recognition and reciprocity provisions, transfers of legal proceedings and other forms of international cooperation in matters relating to IAP may help resolve extraterritorial jurisdictional issues during violation investigations, the apprehension of perpetrators and court appearances.